Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past six months and gives important insights into the latest data breach trends.
The Breach Barometer is a detailed review of healthcare data breaches, including not only the breaches disclosed through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also incidents covered in public media reports and public findings. Before being included in the report, every breach must be independently confirmed as genuine by databreaches.net. The Breach Barometer reports examine the main factors behind data breaches suffered by healthcare providers, health plans and their business associates.
In a webinar broadcast on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net went through the findings of the mid-year review.
Lord discussed the finding that between January and June 2017 there were 233 reported data breaches. Those breaches affected 3,159,236 patients. The biggest reported breach in the first half of the year led to the theft of 697,800 records and was caused by a rogue employee – one of 96 incidents involving insiders.
Out of those 96 incidents, 57 were due to mistakes by individuals within an organization – 423,000 records – and 36 incidents were due to insider errors – 743,665 records. The remaining three breaches could not be classified into any one category.
The true number of insider incidents is likely to be much higher than the figures included in the Breach Barometer report. Dissent pointed to the likelihood that many incidents are neither disclosed publicly nor reported to HHS. One of the clearest examples is MongoDB databases that have not been configured correctly. Dissent explained that many organizations have not reported that protected health information was exposed online, even though security researchers discovered the data could be accessed over the internet without authentication. When these incidents are reported, they are often submitted to HHS as hacking incidents, even though the root cause is human error.
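The misconfiguration described above is a database that listens on the network with authentication left disabled. As an added example (not code from the Breach Barometer report, Protenus or databreaches.net), the script below audits a mongod.conf for exactly that combination. Both configuration samples are constructed for this example; the parser only handles the two-level `section:` / `key: value` subset of YAML that mongod.conf uses, and it assumes the MongoDB 3.6+ default that an absent `bindIp` means localhost only.

```python
# Added example: audit a mongod.conf for the "reachable without authentication"
# pattern. Not from the report or the vendor; both configs are constructed.

WEAK_CONF = """\
# constructed example: reachable from any interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed example: localhost only, authorization enabled
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset mongod.conf uses."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indented = line.startswith(" ")
        key, _, value = line.strip().partition(":")
        if not indented:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})
    # Assumption (MongoDB 3.6 and later): an absent bindIp means localhost only.
    bind_ip = net.get("bindIp", "127.0.0.1")
    exposed = net.get("bindIpAll") == "true" or any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")
    )
    auth_enabled = security.get("authorization") == "enabled"
    if exposed:
        findings.append("net.bindIp listens on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization is not enabled")
    if exposed and not auth_enabled:
        findings.append("CRITICAL: data readable without authentication from the network")
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(conf) or ["no findings"])
```

Either finding on its own is worth fixing, but the combination is the one that turns a misconfiguration into a reportable breach: with `bindIp: 0.0.0.0` and no `security.authorization: enabled`, anyone who can reach port 27017 can read the data, which is how the incidents Dissent describes end up classified as "hacking".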
The first half of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are breaches that must be reported. The true figure is likely to be much higher.
Hacking may be the second most common cause of breaches, but it has led to the exposure or theft of the most records: 1,684,904 records were exposed or stolen through hacking, 1,166,674 records by insiders, 112,302 records through theft or loss, and 178,420 records were accessed in incidents with unknown causes.
To put the figures into perspective, between January and December 2016 there were 450 incidents officially reported. Data breaches have been occurring at a rate similar to 2016. While the number of reported incidents has remained reasonably consistent, there has been a surge in the severity of those breaches, and 2017 is likely to see far more people affected by breaches than 2016.
In 2016, around 2 million patients were hit by insider incidents. So far in 2017, 1.17 million people have already been impacted by insider incidents. Hacking incidents are also increasing. In 2016 there were 120 confirmed hacking attacks reported for the entire year. This year there have already been 75 reported incidents to date.
In June, 52 healthcare data breaches were submitted to OCR, the highest total for any month of the year to date by some distance. The second largest monthly total was 39 incidents. June also had the third highest number of individuals affected, with 729,930 records found to be exposed or stolen.
Robert Lord explained that the time from the initial breach to its discovery is very long in the healthcare sector. The average time to discover a breach was 325.6 days, with a median of 53 days. Healthcare providers are not discovering breaches quickly enough. Fast detection can significantly reduce the harm to patients and, as the Ponemon Institute has shown, the cost of mitigation.
There is some better news, though. The time taken to report breaches to OCR has improved over the first half of 2017. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report a data breach and notify affected individuals. In June, both the mean and the median were shorter than the maximum time frame allowed by the HIPAA Breach Notification Rule.
Dissent said that 2017 has been a “no good, horrible, very bad year.” Sadly, there is no evidence to suggest that the rest of the year will see any improvement. The remainder of 2017 is likely to be just as bad, and 2017 may exceed 2016 for both the number of breaches and the number of patients impacted by those breaches.
While other industries have hacking and malware as their main breach cause, insider incidents are the main cause in the healthcare sector. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technology can be used to help stop insider incidents and to detect them quickly when they happen.
One of the most important messages highlighted in the report is that people’s lives are seriously damaged by healthcare data breaches. More must be done to stop violations and breaches and ensure they are detected quickly. Quick detection and notification permits patients and health plan members to take steps to reduce the damage inflicted.